United States: HIPAA and WIFI - Regulatory Tangles For Wireless Health Care Networks

New uses for wireless devices in health care administration, practice management, and clinical care are heralded almost daily in the health care press. Wireless networks are being deployed to allow physicians and nurses to access patient records from central databases while on rounds, to add observations to the databases and to check on medications, among a growing number of other functions.

The growing use of wireless networks by health care professionals presents tremendous challenges to health care IT managers. One of the fundamental axioms of IT is that there is a tradeoff between access and security: easier access translates to greater security risks. True to this axiom, the ease of access that wireless networks offer is matched by the security challenges those networks present.

Decisions made today about the deployment of wireless local area networks (WLANs) must take into account the impact of the administrative simplifications of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The HIPAA statute requires health plans, health care providers, and other covered entities to maintain reasonable and appropriate safeguards to protect individually identifiable health information.

Under the HIPAA privacy rules, a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of electronic and non-electronic protected health information. A court asked to determine the meaning of "appropriate safeguards" under this "mini security rule" may well refer to the principles and requirements of the security rules to determine what safeguards an entity should have implemented.

The HIPAA security rules were issued in final form on February 20, 2003. They apply to protected health information in electronic form only. The core principles of the final rules require covered entities to: (1) ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits; (2) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (3) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under [the security rules]; and (4) ensure compliance with the [security rules] by its workforce.

The final security rules offer some flexibility to covered entities attempting to comply with these requirements, however. For example, covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in the security rules.

The requirement that covered entities "ensure" the integrity and confidentiality of health information against reasonably anticipated threats or hazards, however, creates a very high legal and practical standard. The attacks of September 11, 2001, and a number of well publicized incidents of identity thefts made possible by the theft of electronic consumer data, may well have raised the bar even higher regarding what is reasonable and appropriate to protect confidential information of all kinds.

The penalties for violating HIPAA range from $100 per person per incident for run-of-the-mill improper disclosures of health information to $250,000 and 10 years in prison for intentional violations. Statutory penalties may be the least of a covered entity's worries, however, if lax security allows health information to be stolen. There is also a risk of class action lawsuits and, of course, damage to the entity's reputation.

The security rules require covered entities to conduct an assessment of potential risks and vulnerabilities and to implement-and revisit from time to time-security measures sufficient to reduce such risks and vulnerabilities.

If a covered entity assesses the security risks inherent in transmitting protected health information over wireless networks, it will learn that well-known technical deficiencies in the security features of 802.11b technology likely make the technology inadequate, unless it is enhanced. Required technical safeguards that are not met by standard 802.11b wireless network security features include the requirement to implement unique user identification, encryption and decryption, person and entity authentication, and transmission security. The main reason that these requirements cannot be satisfied by deploying only 802.11b technology is that the encryption protocol used in 802.11b products, called Wired Equivalent Privacy (WEP), is fundamentally flawed. The deficiencies in WEP have been widely publicized.

Because the deficiencies in WEP are serious and well-known, a covered entity risks being deemed to not be in compliance with HIPAA requirements if it relies on WEP alone to protect the confidentiality and integrity of data transmitted over wireless networks.

Additionally, covered entities must implement policies and procedures to safeguard equipment from unauthorized physical access, tampering and theft. Special attention should be paid to the danger inherent in the theft of a wireless device that may provide a thief unauthorized access to protected health information.

There are several ways that WLANs are being deployed to make them more secure. These are discussed in more detail in the full article, which is available at http://www.dwt.com/practc/hc_ecom/bulletins/05-03_BNAarticle.htm. Covered health care entities need to consider whether they should postpone deploying an initial WLAN or upgrading an insecure, WEP-based WLAN, until planned changes in wireless network standards are adopted and have been implemented in commercial products. The International Electrical and Electronics Engineers (IEEE) has announced that it plans to adopt 802.11g specifications this summer and is working on the specifications for 802.11i. Some 802.11g products that were released before the standard is finalized have had inadequate security features and some 802.11g products have proven not to be compatible with 802.11b equipment. Presumably 802.11g products developed after the 802.11g standard is released will not suffer from interoperability problems. 802.11g networks also will be more secure than 802.11b networks if they are deployed using the WPA encryption protocol rather than WEP.

Those who are charged with maintaining the security of health care information systems carry a heavy burden. As technology changes constantly, those rules require covered entity managers and their lawyers to regularly evaluate the impact of those changes on the security of their networks.

To review our underlying article, "No Rest for the Wary," which was published by BNA's Electronic Commerce & Law Report, Vol. 8, No. 20 on May 21, 2003, click here.

Published by DWT's eHealth/HIPAA Group

This Health Law Advisory is a publication of the Health Law Department of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.

Copyright © 2003, Davis Wright Tremaine LLP. Please do not reprint or post on your website without explicit permission. To subscribe to this list send a message to HIPAA@dwt.com. To unsubscribe, send a message to HIPAA@dwt.com and type "Delete" in the Subject line.